Abstract

The Vernam cipher (or one-time pad) has played an important role in cryptography because it is a perfect secrecy system. For example, if an English text (presented in the binary system) $X_1 X_2 \dots$ is enciphered according to the formula $Z_i = (X_i + Y_i) \bmod 2$, where $Y_1 Y_2 \dots$ is a key sequence generated by the Bernoulli source with equal probabilities of 0 and 1, anyone who knows $Z_1 Z_2 \dots$ has no information about $X_1 X_2 \dots$ without knowledge of the key $Y_1 Y_2 \dots$ (The best strategy is to guess $X_1 X_2 \dots$ without paying attention to $Z_1 Z_2 \dots$)

But what should one say about the secrecy of an analogous method where the key sequence $Y_1 Y_2 \dots$ is generated by the Bernoulli source with a small bias, say, $P(0) = 0.49$, $P(1) = 0.51$? To the best of our knowledge, there are no theoretical estimates for the secrecy of such a system, nor for the general case where $X_1 X_2 \dots$ (the plaintext) and the key sequence are described by stationary ergodic processes. We consider the running-key ciphers where the plaintext and the key are generated by stationary ergodic sources and show how to estimate the secrecy of such systems. In particular, it is shown that, in a certain sense, the Vernam cipher is robust to small deviations from randomness.

Keywords: running-key cipher, Vernam cipher, Shannon entropy, unconditional secrecy.

1 Introduction 

We consider the classical problem of transmitting secret messages from Alice (a sender) to Bob (a receiver) via an open channel which can be accessed by Eve (an adversary). It is supposed that Alice and Bob (and nobody else) know a so-called key $K$, which is a word in a certain alphabet. Before transmitting a message Alice encrypts it. In turn, Bob, after having received the encrypted message (ciphertext), decrypts it to recover the initial text (plaintext).

We consider so-called running-key ciphers where the plaintext $X_1 \dots X_t$, the key sequence $Y_1 \dots Y_t$ and the ciphertext $Z_1 \dots Z_t$ belong to one alphabet $A$ (without loss of generality we suppose that $A = \{0, 1, \dots, n-1\}$, where $n \ge 2$). The $i$-th letter of the ciphertext is defined by $Z_i = c(X_i, Y_i)$, $i = 1, \dots, t$, whereas the deciphering rule is $X_i = d(Z_i, Y_i)$, $i = 1, \dots, t$, i.e. $d(c(X_i, Y_i), Y_i) = X_i$. Here $c$ and $d$ are functions called coder and decoder, correspondingly. Quite often the following particular formulas are used:

$$Z_i = (X_i + Y_i) \bmod n, \qquad X_i = (Z_i - Y_i) \bmod n, \qquad (1)$$

i.e. $c(X_i, Y_i) = (X_i + Y_i) \bmod n$, $d(Z_i, Y_i) = (Z_i - Y_i) \bmod n$. In the case of a two-letter alphabet (1) can be presented as follows:

$$Z_i = X_i \oplus Y_i, \qquad X_i = Z_i \oplus Y_i, \qquad (2)$$

where $a \oplus b = (a + b) \bmod 2$.

It is important to note that we consider so-called unconditional (or information-theoretical) security. That is, the cipher is secure even when Eve has unlimited computing power. Roughly speaking, if an unconditionally secure cipher is used, Eve has many highly probable possible versions of a plaintext and, hence, cannot choose the real plaintext from among them. The following informal consideration helps to understand the main idea of the approach considered later. Let there be two unconditionally secure ciphers which can be applied to one plaintext. Imagine that for the first cipher Eve has 10 equiprobable possible deciphering texts whose overall probability equals 0.999, whereas for the second cipher there are 100 equiprobable deciphering texts with the same overall probability. Obviously, the second system is preferable, because the uncertainty of Eve is much larger for the second system. This informal consideration is quite popular in cryptography [3 13 IS] and we will estimate the security of a cipher by the logarithm of the total number of (almost) equiprobable possible deciphering texts whose overall probability is close to 1.

The running-key cipher (1) is called the Vernam cipher (or one-time pad) if any word $k_1 \dots k_t$, $k_i \in A$, is used as the key word with probability $n^{-t}$, i.e. $P(Y_1 \dots Y_t = k_1 \dots k_t) = n^{-t}$ for any $k_1 \dots k_t \in A^t$. In other words, we can say that the key letters are independent and identically distributed (i.i.d.) and the probabilities of all letters are equal.

The Vernam cipher is one of the most popular among the unconditionally secure running-key ciphers. It has played an important role in cryptography, especially since C. Shannon proved that this cipher is perfectly secure [9]. That is, the ciphertext $Z_1 \dots Z_t$ gives absolutely no additional information about the plaintext $X_1 \dots X_t$. This fact can be interpreted as follows: the a priori probability of a plaintext is the same as the a posteriori probability of the plaintext given the corresponding ciphertext. Using Shannon entropy, it can be expressed by the following equation: $h(X_1 \dots X_t) = h(X_1 \dots X_t \mid Z_1 \dots Z_t)$, where $h(X_1 \dots X_t)$ and $h(X_1 \dots X_t \mid Z_1 \dots Z_t)$ are the entropy of the plaintext and the conditional entropy of the plaintext given the ciphertext $Z_1 \dots Z_t$, correspondingly (they will be defined below). For example, if one uses the Vernam cipher (2) to cipher an English text presented, say, in standard 7-bit binary ASCII, Eve can only try to guess the plaintext without paying attention to the ciphertext.

It was shown by Shannon that any perfectly secure system must use a secret key whose length equals the plaintext length. That is why many authors have considered the problem of the security of systems where either the length of the key or its entropy is less than the length (or entropy) of the plaintext; see, for example, [U UJ [51 [SJ [71 [S] and the reviews therein. But, in spite of numerous papers, some seemingly natural questions are still open. For example, what can we say about the secrecy of the system (2) where it is applied to an English text (in binary presentation) and the key sequence is generated by the Bernoulli source with a small bias, say, $P(Y_i = 0) = 0.51$, $P(Y_i = 1) = 0.49$? (Informally, it is an "almost" Vernam cipher.) To the best of our knowledge, there are no theoretical estimates for the security of such a system, nor for the general case where the plaintext and the key are described as stationary ergodic processes.

In this paper we consider this problem for running-key ciphers (1) in the case where the plaintext $X_1 \dots X_t$ and the key sequence $Y_1 \dots Y_t$ are independently generated by stationary ergodic sources and the entropy of the key can be less than the maximal possible value $\log n$ per letter (here and below $\log = \log_2$). The goal of the paper is to find simple estimates of secrecy for such systems. We would like to emphasize that unconditional secrecy is meant, i.e. it is supposed that Eve has unlimited computational power and unlimited time for computations.

It is worth noting that Shannon in his famous paper [5] mentioned that the problem of deciphering a ciphertext and the problem of signal denoising are very close from a mathematical point of view. In this paper we use some results obtained in [S] considering the problem of denoising.

2 Preliminaries 

We consider the case where the plaintext $X = X_1, X_2, \dots$ and the key sequence $Y = Y_1, Y_2, \dots$ are independently generated by stationary ergodic processes with the finite alphabet $A = \{0, 1, \dots, n-1\}$, $n \ge 2$.

The $m$-order Shannon entropy and the limit Shannon entropy are defined as follows:

$$h_m(X) = -\frac{1}{m} \sum_{u \in A^m} P_X(u) \log P_X(u), \qquad h(X) = \lim_{m \to \infty} h_m(X), \qquad (3)$$

where $m \ge 1$ and $P_X(u)$ is the probability that $X_1 X_2 \dots X_{|u|} = u$ (this limit always exists, see, for example, [2, 3]). Introduce also the conditional Shannon entropy

$$h_m(X \mid Z) = h_m(X, Z) - h_m(Z), \qquad h(X \mid Z) = \lim_{m \to \infty} h_m(X \mid Z). \qquad (4)$$

The Shannon-McMillan-Breiman theorem for conditional entropies can be stated as follows.

Theorem 1 (Shannon-McMillan-Breiman). $\forall \varepsilon > 0$, $\forall \delta > 0$, for almost all $Z_1, Z_2, \dots$ there exists $n'$ such that if $n > n'$ then

$$P\left\{ \left| -\frac{1}{n} \log P(X_1 X_2 \dots X_n \mid Z_1 Z_2 \dots Z_n) - h(X \mid Z) \right| < \varepsilon \right\} > 1 - \delta. \qquad (5)$$

The proof can be found in [2, 3].
3 Estimations of secrecy

Theorem 2. Let a plaintext $X = X_1 X_2 \dots$ and the key sequence $Y = Y_1 Y_2 \dots$ be stationary ergodic processes with a finite alphabet $A = \{0, 1, \dots, n-1\}$, $n \ge 2$, let a running-key cipher be applied to $X$ and $Y$, and let $Z = Z_1, Z_2, \dots$ be the ciphertext. Then, for any $\varepsilon > 0$ and $\delta > 0$ there is an integer $n'$ such that, with probability 1, for any $t > n'$ and $Z = Z_1, Z_2, \dots, Z_t$ there exists a set $\Psi(Z)$ for which the following properties are valid:

i) $P(\Psi(Z)) > 1 - \delta$;

ii) for any $X^1 = X^1_1, \dots, X^1_t$ and $X^2 = X^2_1, \dots, X^2_t$ from $\Psi(Z)$

$$\frac{1}{t} \left| \log P(X^1 \mid Z) - \log P(X^2 \mid Z) \right| < \varepsilon;$$

iii) $\liminf_{t \to \infty} \frac{1}{t} \log |\Psi(Z)| \ge h(X \mid Z)$.

Proof. According to the Shannon-McMillan-Breiman theorem, for any $\varepsilon > 0$, $\delta > 0$ and almost all $Z_1, Z_2, \dots$ there exists $n'$ such that for $t > n'$

$$P\left\{ \left| -\frac{1}{t} \log P(X_1 X_2 \dots X_t \mid Z_1 Z_2 \dots Z_t) - h(X \mid Z) \right| < \varepsilon/2 \right\} > 1 - \delta. \qquad (6)$$

Let us define

$$\Psi(Z) = \left\{ X = X_1 X_2 \dots X_t : \left| -\frac{1}{t} \log P(X_1 X_2 \dots X_t \mid Z_1 Z_2 \dots Z_t) - h(X \mid Z) \right| < \varepsilon/2 \right\}. \qquad (7)$$

The first property i) immediately follows from (6). In order to prove ii), note that for any $X^1 = X^1_1, \dots, X^1_t$ and $X^2 = X^2_1, \dots, X^2_t$ from $\Psi(Z)$ we obtain from (7)

$$\frac{1}{t} \left| \log P(X^1 \mid Z) - \log P(X^2 \mid Z) \right| \le \left| -\frac{1}{t} \log P(X^1 \mid Z) - h(X \mid Z) \right| + \left| -\frac{1}{t} \log P(X^2 \mid Z) - h(X \mid Z) \right| < \varepsilon/2 + \varepsilon/2 = \varepsilon.$$

From (7) and property i) we obtain the following: $|\Psi(Z)| \ge (1 - \delta)\, 2^{t (h(X \mid Z) - \varepsilon)}$. Taking into account that this is valid for any $\varepsilon > 0$, $\delta > 0$ and $t > n'$, we obtain iii). □

So, we can see that the set of possible decipherings $\Psi(Z)$ grows exponentially, its total probability is close to 1 and the probabilities of words from this set are close to each other.

Theorem 2 makes it possible to estimate the uncertainty of a cipher based on the conditional entropy $h(X \mid Z)$. Sometimes it can be difficult to calculate this value because it requires knowledge of the conditional probabilities. In this case the following simpler estimate can be useful.

Corollary 1. For almost all $Z_1 Z_2 \dots$

$$\liminf_{t \to \infty} \frac{1}{t} \log |\Psi(Z)| \ge h(X) + h(Y) - \log n.$$

Proof. From the well-known Information Theory equation $h(X, Z) = h(X) + h(Z \mid X)$ (see [2, 3]) we obtain the following:

$$h(X \mid Z) = h(X, Z) - h(Z) = h(Z \mid X) + h(X) - h(Z).$$

Taking into account that $\max h(Z) = \log n$ ([1, 3]), where $n$ is the number of alphabet letters, we can derive from the latest equation that $h(X \mid Z) \ge h(Z \mid X) + h(X) - \log n$. The definition of the running-key cipher (1) shows that $h(Z \mid X) = h(Y)$. Taking into account the two latest inequalities and the third statement iii) of Theorem 2 we obtain the statement of the corollary. □

Comment. In Information Theory the difference between the maximal value of the entropy and the real one is quite often called the redundancy. Hence, from the corollary we have the following new presentations for the value $\frac{1}{t} \log |\Psi(Z)|$:

$$\liminf_{t \to \infty} \frac{1}{t} \log |\Psi(Z)| \ge h(X) - r_Y, \qquad \liminf_{t \to \infty} \frac{1}{t} \log |\Psi(Z)| \ge h(Y) - r_X, \qquad \liminf_{t \to \infty} \frac{1}{t} \log |\Psi(Z)| \ge \log n - (r_X + r_Y), \qquad (8)$$

where $r_Y = \log n - h(Y)$ and $r_X = \log n - h(X)$ are the corresponding redundancies.

These inequalities confirm the fact, well known in cryptography and Information Theory, that reducing redundancy improves the security of ciphers.

Let us return to the first question of this note about the Vernam cipher with a biased key sequence. More precisely, let there be a plaintext $X_1 X_2 \dots$, $X_i \in \{0, 1\}$, and the key sequence $Y_1 Y_2 \dots$, $Y_i \in \{0, 1\}$, generated by a source whose entropy $h(Y)$ is less than 1. ($h(Y) = 1$ if and only if $Y_1 Y_2 \dots$ is generated by the Bernoulli source with letter probabilities $P(0) = P(1) = 0.5$, [2, 3].) From (8) we can see that the size of the set $\Psi(Z)$ of highly probable possible decipherings grows exponentially with exponent greater than $h(X) - r_Y$, where $r_Y = 1 - h(Y)$. So, if $r_Y$ goes to 0, the size of the set of possible probable decipherings tends to the size of this set for the case of the "pure" Vernam cipher. Indeed, if $h(Y) = 1$ and, hence, $r_Y = 0$, the set $\Psi(Z)$ of highly probable possible decipherings grows exponentially with exponent $h(X)$, as it should for the Vernam cipher. For example, this is true for the case where the key sequence $Y_1 Y_2 \dots$ is generated by the Bernoulli source with biased probabilities, say $P(0) = 0.5 - \tau$, $P(1) = 0.5 + \tau$, where $\tau$ is a small number. If $\tau$ goes to 0, the redundancy $r_Y$ goes to 0, too, and we obtain the Vernam cipher. So, we can informally say that the Vernam cipher is robust to small deviations from randomness.
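As an added worked example (not code from the paper), the Python block below implements the running-key cipher (1)/(2), the $m$-order entropies (3) and (4), and the bound of Corollary 1 / (8), and applies them to the biased-key case $P(0) = 0.5 - \tau$ discussed above. It assumes i.i.d. binary plaintext and key so that block probabilities, and hence $h_m(X \mid Z)$, can be computed exactly rather than estimated; all function names are the example's own.

```python
import math
from itertools import product
from typing import Callable, Sequence

def running_key_encrypt(x: Sequence[int], y: Sequence[int], n: int) -> list[int]:
    """Coder of cipher (1): Z_i = (X_i + Y_i) mod n; for n = 2 this is XOR, cipher (2)."""
    return [(xi + yi) % n for xi, yi in zip(x, y)]

def running_key_decrypt(z: Sequence[int], y: Sequence[int], n: int) -> list[int]:
    """Decoder of cipher (1): X_i = (Z_i - Y_i) mod n, so d(c(x, y), y) = x."""
    return [(zi - yi) % n for zi, yi in zip(z, y)]

def h_m(p: Callable[[tuple], float], n: int, m: int) -> float:
    """m-order entropy per letter, formula (3): -(1/m) sum_{u in A^m} P(u) log2 P(u)."""
    total = 0.0
    for u in product(range(n), repeat=m):
        pu = p(u)
        if pu > 0.0:
            total -= pu * math.log2(pu)
    return total / m

def bernoulli_block(p1: float) -> Callable[[tuple], float]:
    """Block probability P(u) of an i.i.d. binary source with P(1) = p1, P(0) = 1 - p1."""
    return lambda u: math.prod(p1 if b else 1.0 - p1 for b in u)

def h_m_plain_given_cipher(px1: float, py1: float, m: int) -> float:
    """h_m(X|Z) = h_m(X,Z) - h_m(Z), formula (4), for plaintext X ~ Bernoulli(px1),
    key Y ~ Bernoulli(py1), independent, and Z = X xor Y (cipher (2)).
    A pair (X_i, Z_i) is encoded as the letter 2*X_i + Z_i of a 4-letter alphabet."""
    px, py = bernoulli_block(px1), bernoulli_block(py1)
    def joint(pair_block: tuple) -> float:
        xs = tuple(c // 2 for c in pair_block)
        zs = tuple(c % 2 for c in pair_block)
        # X and Z determine the key, Y = d(Z, X); this is why h(Z|X) = h(Y) in Corollary 1.
        ys = tuple(running_key_decrypt(zs, xs, 2))
        return px(xs) * py(ys)
    pz1 = px1 * (1.0 - py1) + (1.0 - px1) * py1  # P(Z_i = 1)
    return h_m(joint, 4, m) - h_m(bernoulli_block(pz1), 2, m)

def key_redundancy(tau: float) -> float:
    """r_Y = log n - h(Y) for n = 2 and a key with P(0) = 0.5 - tau, P(1) = 0.5 + tau."""
    return 1.0 - h_m(bernoulli_block(0.5 + tau), 2, 1)

def secrecy_exponent_bound(hx: float, hy: float, n: int) -> float:
    """Corollary 1 / (8): liminf (1/t) log |Psi(Z)| >= h(X) + h(Y) - log n."""
    return hx + hy - math.log2(n)
```

For a key with $\tau = 0.01$ the redundancy $r_Y$ is about $2.9 \cdot 10^{-4}$ bit per letter, so the exponent bound $h(X) - r_Y$ is within that amount of the pure Vernam exponent $h(X)$, and the exact $h(X \mid Z)$ lies between the bound and $h(X)$.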